[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Classpathx-javamail] Re: Bug#304712: [Fwd: Bug#304712: avaMail allows d
From: |
Arnaud Vandyck |
Subject: |
[Classpathx-javamail] Re: Bug#304712: [Fwd: Bug#304712: avaMail allows directory traversal in attachments (CAN-2005-1105)] |
Date: |
Mon, 18 Apr 2005 10:55:38 +0200 |
User-agent: |
Gnus/5.1007 (Gnus v5.10.7) Emacs/21.4 (gnu/linux) |
Sight ;-)
Sat, 16 Apr 2005 12:17:41 +0100,
Chris Burdess <address@hidden> wrote:
> Mark Wielaard wrote:
>> From: Joey Hess <address@hidden>
>> Date: April 14, 2005 22:38:42 BST
>> Resent-To: address@hidden
>> To: Debian Bug Tracking System <address@hidden>
>> Resent-Cc: Debian Java Maintainers
>> <address@hidden>
>> Subject: Bug#304712: avaMail allows directory traversal in attachments
>> (CAN-2005-1105)
>> Reply-To: Joey Hess <address@hidden>, address@hidden
>>
>>
>> Package: libgnumail-java
>> Version: 1.0
>> Severity: normal
>> Tags: security
>>
>> CAN-2005-1105 describes a vulnerability in the JavaMail API:
>>
>> MimeBodyPart.getFileName () method in the JavaMail API doesn't
>> properly
>> validate filename attribute in Content-Disposition header, which
>> makes it
>> vulnerable to directory traversal attacks. Successful exploitation of
>> this vulnerability allows writing arbitrary content in any directory
>> accessible to the servlet running JavaMail.
>>
>> http://marc.theaimsgroup.com/?l=bugtraq&m=111335615600839&w=2
>>
>> Multiple imeplementations of this API are vulnerable, including
>> libgnumail-java. Unless each program using libgnumail-java does its own
>> checks of the filename for directory traversal attacks, this lack of
>> sanity checking can allow overwriting of a user's files.
>>
>> I think this security hole is fairly theoretical at the moment since it
>> seems only ant in Debian uses libgnumail-java, and it seems to only use
>> it to send mail.
>
> I don't really understand the problem here. Surely the "vulnerability"
> is introduced by the code described at the given URL (the
> saveMailAttachment method), rather than in the JavaMail framework?
> JavaMail is simply reporting what's in the actual message - it's up to
> the application to take measures to protect the user's
> security. JavaMail doesn't write the attachment to a file in any way.
> --
> Chris Burdess
>
>
>
> _______________________________________________
> pkg-java-maintainers mailing list
> address@hidden
> http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
>
--
.''`.
: :' :rnaud
`. `'
`-
Java Trap: http://www.gnu.org/philosophy/java-trap.html
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Classpathx-javamail] Re: Bug#304712: [Fwd: Bug#304712: avaMail allows directory traversal in attachments (CAN-2005-1105)],
Arnaud Vandyck <=